Configuring a Password Policy

You can configure a password policy for:

  • Your own users: the users of your own account.
  • Child account users: the users of your direct child reseller or customer accounts.

To configure a password policy, complete the following steps:

  1. In Operations PCP, go to Services > Identity Service > Password Policy.
  2. Specify the following password-related settings:

    • General Settings

      • Minimum password length: the minimum number of characters a password must contain to be valid.
      • Blacklist weak passwords: the password is rejected if it appears in the fixed, pre-defined blacklist of weak passwords.
      • Prohibit username-based passwords: the user name cannot be used as the password.
    • Required Character Types

      • Digits: at least one digit is required for a password to be valid.
      • Uppercase: at least one uppercase character is required for a password to be valid.
      • Lowercase: at least one lowercase character is required for a password to be valid.
      • Special symbols: at least one special symbol is required for a password to be valid. The special symbols are ()[]#,.;@&*-_+!

        Important: A password must include at least one character from this group; symbols outside it do not satisfy the requirement.

    • Password Expiration

      • Password expiration: if selected, a password will have an expiration period.
      • Expiration period, days: the number of days after which a password is considered expired.
      • Number of previous passwords to prohibit: the number of previously used passwords that cannot be used as a new password.
    • Two-Factor Authentication

      • Enable: if selected, two-factor authentication with a one-time password is enabled. For more information, refer to the Keycloak documentation.
      • One Time Password Type: select Time Based (TOTP) or Counter Based (HOTP).
      • Look-ahead Window:
        • For Time Based: specify how many time intervals ahead of the current one the server tries to match the submitted code.
        • For Counter Based: specify how many counter values ahead of its stored counter the server tries to match the submitted code.
      • Initial Counter (for Counter Based only): specify the value of the initial counter.

        Note:
        For the time-based type, the following applications are supported:
        - FreeOTP
        - Google Authenticator
        - Microsoft Authenticator
        For the counter-based type, the following application is supported:
        - FreeOTP

Resetting One-Time Password

If a user's smartphone is lost, or in other circumstances, you can reset the user's one-time password (OTP) credential. To do this, complete the following steps:

  1. Log in to the Keycloak administration panel.
  2. Open the security realm that corresponds to the brand in which the user logs in.
  3. Go to Users and click the user account.
  4. Go to Credentials. Under Manage Credentials, find the credential of the OTP type and delete it to reset the OTP for the user.
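To make the Look-ahead Window and Initial Counter settings above concrete, here is an added example (not code from this page, from the product, or from Keycloak) of the server side of both OTP types in Python, using only the standard library: RFC 4226 HOTP, RFC 6238 TOTP, and two verifiers that try the configured number of counters or time intervals ahead and refuse replays. The time-based verifier follows the page's wording and only looks ahead; how Keycloak itself handles clock drift behind the server is not covered here, and the secret used is the RFC test key, not a real one.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret, at, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with the time step floor(at / period) as the counter."""
    return hotp(secret, int(at) // period, digits)


class CounterBasedVerifier:
    """Server side of counter-based OTP.

    The server keeps its own counter, starting at the configured initial counter.
    A user who generates codes without submitting them moves the token ahead of the
    server, so the server tries counter, counter+1, ... counter+look_ahead and, on a
    match, resynchronises to one past the matched value so the code cannot be replayed.
    """

    def __init__(self, secret, initial_counter=0, look_ahead=1):
        self.secret = secret
        self.counter = initial_counter
        self.look_ahead = look_ahead

    def verify(self, code):
        for k in range(self.look_ahead + 1):
            candidate = self.counter + k
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1
                return True
        return False


class TimeBasedVerifier:
    """Server side of time-based OTP.

    Following the page's description, the server tries the current time step and up
    to look_ahead steps ahead of it. Remembering the last accepted step rejects a
    replay of a code that is still inside its validity window. (Tolerating a client
    clock that runs behind the server would need steps before the current one as
    well; that is deliberately left out here.)
    """

    def __init__(self, secret, look_ahead=1, period=30):
        self.secret = secret
        self.look_ahead = look_ahead
        self.period = period
        self.last_accepted_step = -1

    def verify(self, code, now=None):
        step = int(time.time() if now is None else now) // self.period
        for k in range(self.look_ahead + 1):
            candidate = step + k
            if candidate <= self.last_accepted_step:
                continue
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 test key, not a production secret
    server = CounterBasedVerifier(secret, initial_counter=0, look_ahead=2)
    print("code for counter 2 accepted:", server.verify(hotp(secret, 2)), "server counter now", server.counter)
    print("same code replayed accepted:", server.verify(hotp(secret, 2)))
    clock = TimeBasedVerifier(secret, look_ahead=1)
    print("code for step 1 at t=59 accepted:", clock.verify(totp(secret, 59), now=59))
```

The practical point of the window: a token that has drifted further ahead than the configured look-ahead (for counter-based, more unsubmitted button presses than the window allows) can no longer be matched, and the only recovery is the OTP reset procedure described above.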